HTC IQRD Android Permission Leakage

Release Date 2012-04-20
Application IQRD on HTC Android Phones
Discovered by Dan Rosenberg <drosenberg (at) vsecurity.com>
Vendor Status Patch Released
CVE Candidate CVE-2012-2217
Reference Original Advisory

Product Description

The IQRD service is HTC's implementation of a Carrier IQ porting layer on several HTC Android phones. Carrier IQ is a data collection framework that may be deeply integrated into the Android application stack in order to provide cell carriers with detailed metrics data on device and network activity [1]. To complete the integration of Carrier IQ on a specific device, phone manufacturers provide a "porting layer" that allows the Carrier IQ service to perform specific actions that may vary by device.

Vulnerability Details

On December 22th, VSR identified a vulnerability in IQRD. The IQRD service listens locally on a TCP socket bound to port 2479. This socket is intended to allow the Carrier IQ service to request device-specific functionality from IQRD. Unfortunately, there is no restriction or validation on which applications may request services using this socket. As a result, any application with the android.permission.INTERNET permission may connect to this socket and send specially crafted messages in order to perform potentially malicious actions.

In particular, it is possible for malicious applications to:

  1. Trigger UI popup messages
  2. Generate tones
  3. Send arbitrary outbound SMS messages that do not appear in a user's outbox, facilitating toll fraud
  4. Retrieve a user's Network Access Identifier (NAI) and corresponding password, potentially allowing rogue devices to impersonate the user on a CDMA network

Versions Affected

The issue is confirmed to affect the HTC EVO 4G, HTC EVO Design 4G, EVO Shift 4G, HTC EVO 3D, HTC EVO View 4G, and HTC Hero on Sprint; and the HTC Vivid on AT&T.

Vendor Response

The following timeline details HTC's response to the reported issue:

2011-12-22 Vulnerability reported to HTC
2011-12-28 HTC confirms receipt, indicates that fix is planned for early 2012
2012-03-10 VSR requests status update
2012-03-16 HTC confirms fix has been published
2012-03-26 HTC requests clarification on finding
2012-03-26 VSR provides clarification on finding, requests confirmation on status of fix
2012-04-02 HTC provides confirmation of fix, requests further clarification
2012-04-02 VSR provides clarification on finding
2012-04-12 VSR provides draft advisory to HTC
2012-04-13 HTC provides corrections to advisory, requests disclosure date
2012-04-20 Coordinated disclosure

Recommendation

HTC has issued a fix that will typically be provided as an OTA update by affected cell carriers. If the update has not automatically been installed, it is possible to retrieve the update manually by navigating to Menu -> Settings -> System Updates -> HTC Software Update -> Check Now.

The following software versions on Sprint are confirmed to resolve this issue:

HTC EVO 4G 4.67.651.3
HTC EVO Design 4G 2.12.651.5
HTC EVO Shift 4G 2.77.651.3
HTC EVO 3D 2.17.651.5
HTC EVO View 4G 2.23.651.1

The following software versions on AT&T are confirmed to resolve this issue:

HTC Vivid 3.26.502.56

All affected devices except the HTC Hero have received an over-the-air update. HTC and Sprint have declined to update the HTC Hero, citing its 2009 release, minimal current usage, and lack of malicious applications in the Android Marketplace exploiting this vulnerability.

Users should be aware that devices that no longer receive updates due to switching carriers may remain vulnerable.

Common Vulnerabilities and Exposures (CVE) Information

The Common Vulnerabilities and Exposures (CVE) project has assigned the number CVE-2012-2217 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Acknowledgements

Thanks to HTC for their response and fix.


References

1. Carrier IQ

This advisory is distributed for educational purposes only with the sincere hope that it will help promote public safety. This advisory comes with absolutely NO WARRANTY; not even the implied warranty of merchantability or fitness for a particular purpose. Neither Virtual Security Research, LLC nor the author accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

See the VSR disclosure policy for more information on our responsible disclosure practices.


Copyright 2012 Virtual Security Research, LLC. All rights reserved.

2014-09-17
Apple iOS / OSX: Foundation NSXMLParser XXE Vulnerability

2014-05-20
XML Schema, DTD, and Entity Attacks

2013-06-19
IBM WebSphere Commerce: Encrypted URL Parameter Vulnerable to POA

2012-10-23
Timothy D. Morgan presents No Crack Required: Cryptanalysis in Real-World Applications at OWASP AppSecUSA 2012.

more...

Contact us by phone,
fax or e-mail:

Phone: 617.933.8919
Fax: 617.933.8920
Email: inquiry@vsecurity.com